SharePoint: Secure SharePoint content

Keeping the content stored within your SharePoint storage resources secure might be more complicated than you thought.

Dan Sullivan

Adapted from “The Essentials Series: Securing SharePoint Content” (Realtime Publishers)

Microsoft provides SharePoint-specific client applications such as SharePoint Workspace, but the standard for SharePoint access is a browser. There are many advantages to using a browser with SharePoint, including access to SharePoint hosting services and cross-platform support.

With these advantages, however, come technical challenges. Together, these challenges create conditions that hackers can exploit to steal or leak confidential data stored in SharePoint repositories.

You almost certainly have valuable content in your SharePoint collaboration sites. The documents stored there might include trade secrets about business processes and products, strategic plans for business expansion, or confidential information about clients and customers. The specifics aren’t important. The crucial point is that your SharePoint content will be targeted by attackers.

Think like an attacker

When you try to understand the risks to your content, it helps to think like an attacker. You don’t have legitimate access to the corporate network. You can’t easily walk the halls of the company. Your best bet is to steal information electronically.

You could invest the time and effort to probe the corporate network for vulnerabilities that would help you gain access to servers and applications. You could then work to avoid detection as you probe servers for software vulnerabilities, run password-detection programs, and try other means of compromising the servers.

But that’s just one approach to stealing content. There’s another path with potentially less resistance: targeting client devices. Client devices are often subject to fewer controls than servers. Users install applications or browser extensions. Laptops and mobile devices aren’t always connected to secure corporate networks. Users might browse compromised sites or open malicious e-mails that lead to malware infection.

In spite of your best efforts, client devices such as desktops and laptops can harbor malware that makes them easier targets than hardened servers. There are two particular types of external threats relevant to protecting SharePoint content: malware on the endpoint and browser cache mining.

Endpoint malware

There are many forms of malicious software (malware), including Trojan Horses, keyloggers and rootkits. Trojan Horses are applications that appear benign, but are in fact malicious. For example, a utility for displaying weather updates on your desktop might also scan your drives and copy data to a centralized server.

Keyloggers are designed to capture keystrokes as you type. This helps attackers collect usernames and passwords. Of course, attackers will also end up collecting everything else you type, but text-processing tools can easily analyze large volumes of keystroke data to find information of particular interest to attackers.

Rootkits are sets of programs that attack the OS at low levels. This helps them circumvent OS security controls. This kind of malware is especially difficult to eliminate. These are just three types of malware you might find on client devices.

Browser cache mining

A particularly promising target for some attackers is your browser cache. The browser cache is used to temporarily store data to improve browser performance. A cache is quite useful when navigating Web pages. For example, assume you’re reading a long article divided into several Web pages. If at some point during the article you decide to go back to the previous page, you’d probably click the previous page button on your browser. In theory, your browser could simply download the page again, but doing so would take time and consume network resources. Instead, your browser keeps copies of data in local temporary storage known as the cache.

This setup sounds like a reasonable resource trade-off. A certain amount of local storage is dedicated to temporarily storing browsing data in order to save time and network resources. Here again, you have to think like an attacker. Your SharePoint content, which may be well protected on the SharePoint server, might also be cached on endpoint devices. Malware designed to scan and analyze browser caches could gain access to your SharePoint content. This type of attack is known as cache mining.

The benefits of caching apply equally well to SharePoint and other Web content, so you won’t necessarily want to eliminate caching. You do, however, want to ensure confidential or sensitive information isn’t retained in the cache longer than needed. It should be cleared after a user’s SharePoint session has ended.

In addition to caching data to improve browser performance, some online applications let you store copies of data on client devices so those applications can work offline. This is useful for users who work in multiple locations or find themselves traveling with intermittent Internet access. The more data that’s stored locally, however, the greater the potential for a data leak.

Internal threats: careless and malicious employees

There are more pedestrian methods an attacker might use to steal valuable information. Some threats to business information stem from carelessness, while others have more malicious origins.

During the course of the day, many of us try to streamline tasks to save time. You might download documents and e-mail copies to collaborators who don’t have access to the content in SharePoint. You might justify this by thinking you’re working more efficiently. Your business partner might need a piece of information in a document, and you get it to him in the most efficient way possible. The problem with this approach is that you lose control of that digital copy of the document once it’s e-mailed.

At that point, you have no control over how your collaborator shares the document. Will it be deleted after only the necessary information is reviewed? Will it be forwarded to someone else? Will copies be stored on e-mail servers that might be attacked in search of valuable data? There’s also the question of whether additional content in the document needs to be shared. Does the collaborator need to know everything in the document? Could you compromise your business by sharing too much information?

These are difficult questions to answer. Rather than risk the negative consequences of such carelessness, organizations can implement security controls that block inappropriate copying of SharePoint content from client devices. These controls have the additional benefit of blocking disgruntled employees or others who might intentionally attempt to steal data such as client lists or design documents.

The bring your own device movement

Organizations are grappling with the increase of bring your own device (BYOD) practices. Employees are working with their own laptops, tablets and smartphones to access content and applications on corporate networks. Although there are tools to help manage laptops and mobile devices, organizations have less control over endpoints.

There are limits to what an IT organization can impose on BYOD users. This reality creates potential conflicts. IT professionals may be responsible for protecting corporate information assets, but employees expect reasonable control over their devices. The potential for conflicting expectations is high.

Consider a user who installs a browser extension to help monitor prices. When the user searches for a product or service, such as a flight from San Francisco to New York, the browser extension checks multiple sites and displays information about the best prices. To perform this kind of service, the extension needs access to the browser data. An employee might be willing to allow access to personal browsing information, but what about work-related browsing? Do IT professionals responsible for information security want SharePoint content exposed in that way?

In addition to apps and extensions your users intentionally install, you need to consider the possibility that employee-owned devices might not have adequate security controls in place. For example, do employees:

  • Keep their anti-malware software up-to-date? Databases used by anti-malware software are updated frequently. Endpoint anti-malware programs should be configured to automatically check for and download data and program updates.
  • Run vulnerability scanners to check for known vulnerabilities in software installed on the client? Vulnerability scanners were once limited to network and server administrators, but even end users can run tools such as Microsoft Baseline Security Analyzer on desktop and laptop devices.
  • Update OS and application software? Malicious software can take advantage of vulnerabilities in widely used productivity or utility software. Keeping software up–to-date is a key security practice.

BYOD has many advantages for both employees and employers. As with so many technologies and practices, though, there are benefits and drawbacks to employee-owned devices being used for business purposes.

Securing SharePoint content is challenging enough. Sending copies of documents from well-secured SharePoint servers to poorly secured endpoint devices can leave your information vulnerable to theft or leakage. Threats range from malware to malicious employees. Changes in the way you work, particularly the increasing practice of BYOD, compound the SharePoint security challenges you already face.

Dan Sullivan

Dan Sullivan has more than 20 years of IT experience in application design, systems architecture and enterprise security. He’s written and presented extensively about systems architecture, infrastructure management, and aligning business and IT strategies. He’s written several books, including “The Shortcut Guide to Prioritizing Security Spending,” “The Definitive Guide to Security Management” and “The Definitive Guide to Information Theft Prevention,” all from Realtime Publishers.

For more on this and other titles from Realtime Publishers, check out the company’s Web site.